Crustyoldbloke

Posted 04 June 2005 - 07:51 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello xxxxxxx and welcome to Geeks to Go

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh HijackThis log.

Crustyoldbloke

Posted 04 June 2005 - 11:48 AM

Hello Cindi and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have a mixture of different malware to be cleaned. Let's see what we can do.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Firstly could you please disable AOL Spyware Protection from running during the fix, it may just hinder our attempts to change anything.

To start please download the following programme, we will run it later. Please save it to a place that you will remember, I suggest the Desktop:

Go to Start > Run, type Services.msc and hit OK. Scroll down and find this service:

System Startup Service (SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HijackThis. Click on None of the above, just start the program. Now click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

SvcProc

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.
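The service removal in the steps above (stop it in Services.msc, set it to Disabled, delete the entry with HijackThis) and the Trusted Zone clean-up that an O15 fix performs, done from an elevated Windows PowerShell 3.0+ prompt instead of the GUI tools. This is an added example, not code from the thread, from HijackThis or from the Del 015 Domains.inf file, whose contents are not on the page: the ZoneMap section is an assumed reconstruction of what such a fix does, and the service name SvcProc is taken from the post.

```powershell
# Added example, not from the thread, HijackThis or the Del 015 Domains.inf
# file (whose contents are not on the page). The service name comes from the
# post; the ZoneMap section is an assumed reconstruction of what an O15
# (Trusted Zone) fix does. Run from an elevated Windows PowerShell 3.0+ prompt.

$ServiceName = 'SvcProc'

# 1. Look before deleting: which binary does the service launch, and is it
#    running? The PathName is what you will need for the file clean-up later.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Host "Service '$ServiceName' not present (already removed?)."
} else {
    Write-Host ("{0} ({1}) -> {2} [state {3}, start {4}]" -f $svc.Name, $svc.DisplayName, $svc.PathName, $svc.State, $svc.StartMode)

    # 2. Stop it and set Startup Type to Disabled (the Services.msc steps).
    if ($svc.State -ne 'Stopped') { Stop-Service -Name $ServiceName -Force -ErrorAction Stop }
    Set-Service -Name $ServiceName -StartupType Disabled

    # 3. Remove the service entry (HijackThis "Delete an NT Service").
    #    sc.exe is used because Remove-Service only exists in PowerShell 6+.
    & sc.exe delete $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc delete $ServiceName failed with exit code $LASTEXITCODE" }
    Write-Host "Service '$ServiceName' deleted (or marked for deletion until reboot)."
}

# 4. O15-style clean-up: show what sits in the Trusted sites zone (zone value 2)
#    for this user before wiping it, so entries you added yourself are not lost.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $zoneMap) {
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {
            if ($key.GetValue($valueName) -eq 2) {
                Write-Host ("Trusted-zone entry: {0} (scheme '{1}')" -f $key.Name, $valueName)
            }
        }
    }
    # Remove everything under Domains, which is assumed to be what the .inf does.
    # Left commented out so the listing above can be reviewed first.
    # Get-ChildItem -Path $zoneMap | Remove-Item -Recurse -Force
}
```

The listing steps come before any deletion on purpose: the service's PathName tells you which file was being launched at boot, which is what the later file clean-up has to target, and a Trusted Sites entry you added yourself should not be wiped along with the malware's.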

Crustyoldbloke

Posted 05 June 2005 - 03:33 AM

Your HJT log is virtually the same as before with the exception of the 023 entry, SvcProc, which has gone.

From your earlier comments, I take it you did not complete the rest of the fix due to you not seeing a window open after you clicked OK in HJT. If the file was already missing, then there would be no reason to reboot, ergo it wouldn't give you that option.

Please continue with the previous fix (miss out the 023 fix).

I am not sure why you think that you can't reboot or you have deleted something to stop you from rebooting.

cidni

Posted 05 June 2005 - 11:51 AM

Member

Topic Starter

13 posts

Hi Phil, thanks again. The fix I ran as per your request seems to have worked. I did see a program I was not familiar with... The ABI Network - Division of Direct Income. Should I delete that also? Below is the HijackThis log that I ran before logging on.

Crustyoldbloke

Posted 05 June 2005 - 01:15 PM

It's looking better, but the ones that are still here are tied in with The ABI Network - Division of Direct Income. They will go this time.

I note that you are still running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

cidni

Posted 05 June 2005 - 03:15 PM

This was not there to delete even though the log shows it as being there (so I skipped deleting it, of course) (this also happened during my last attempt but I forgot to mention it before).

2: The ABI Network - Division of Direct Income

This would not delete when I tried in Safe Mode under Add/Delete Programs, so I had to go to MYPCTUNEUP.com to download the uninstall & I uninstalled it (I believe that this is the source of the AURORA spyware pop-up problem & that is the web site it is under). Then I checked under Safe Mode again under Add/Delete Programs to see if it was gone & it was GONE then.

3: In Safe Mode, I set my system to show all files & confirmed that it was done, but when I went to reset it back to hide files after rebooting normally, it had already gone back to hide files (I double-checked this & each time I redid the process, it had already gone back to hiding the files on its own).

I hope this solves most if not all of the problems. I appreciate all your efforts & I will be donating to your fund ASAP. Thank you again & please let me know if I should do anything else to fix / prevent this from happening again.

Crustyoldbloke

Posted 05 June 2005 - 05:13 PM

We are getting there and winning the battle. Let's just finish it now.

Press Control+Alt+Del to enter the Task Manager.

Click on the Processes tab and end the following process:

C:\WINDOWS\System32\uvrvkgj.exe

Exit the Task Manager when finished.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Please delete this file (if present) using Windows Explorer:

C:\WINDOWS\System32\uvrvkgj.exe

Please install Killbox by Option^Explicit.

* Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
* In the Killbox programme, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\uvrvkgj.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.
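The Task Manager and Killbox steps above, as an added example in Windows PowerShell 3.0+ (run elevated), not code from the thread or from Killbox itself. It assumes the file path named in the post, and it assumes that a "Delete on Reboot" is implemented with the Win32 MoveFileEx call and its MOVEFILE_DELAY_UNTIL_REBOOT flag, which is the documented way to have Windows remove a locked file during the next start; whether Killbox does exactly that is not stated on the page. The last function covers the show-hidden-files switch that is turned on and later off during the fix, and reads the value back so you can see whether something resets it.

```powershell
# Added example, not from the thread and not Killbox's own code.
# Assumptions: the target path is the one named in the post; "delete on
# reboot" is done here with MoveFileEx + MOVEFILE_DELAY_UNTIL_REBOOT (documented
# Win32 behaviour), which is assumed, not confirmed, to be what Killbox does.
# Run from an elevated Windows PowerShell 3.0+ prompt.

$Target = 'C:\WINDOWS\System32\uvrvkgj.exe'   # path from the post

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Stop-ProcessByPath {
    param([string]$Path)
    # Match the full image path, not just the file name, so that a process
    # running from a different directory under the same name is left alone.
    $procs = @(Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $Path) })
    foreach ($p in $procs) {
        Write-Host ("Stopping PID {0} ({1})" -f $p.Id, $p.Path)
        Stop-Process -Id $p.Id -Force -ErrorAction Stop
    }
    return $procs.Count
}

function Remove-FileOrScheduleDelete {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "$Path not present; nothing to do."
        return 'absent'
    }
    try {
        # Plain deletion first, after clearing read-only/hidden/system bits.
        (Get-Item -LiteralPath $Path -Force -ErrorAction Stop).Attributes = 'Normal'
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return 'deleted'
    } catch {
        # Still locked (image loaded, or protected): have the kernel remove it
        # during the next boot. MoveFileEx records this under
        # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
        $ok = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx failed for $Path (Win32 error $err)"
        }
        return 'scheduled'
    }
}

function Set-ShowHiddenFiles {
    # Explorer's show-hidden-files switch that the fix turns on and later off.
    # Hidden: 1 = show, 2 = do not show. ShowSuperHidden: 1 = show protected OS files.
    param([bool]$Show)
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $want = if ($Show) { 1 } else { 2 }
    Set-ItemProperty -Path $adv -Name Hidden -Value $want
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value ([int]$Show)
    Start-Sleep -Seconds 5
    # Reading it straight back tells you whether a running process is resetting it.
    $now = (Get-ItemProperty -Path $adv -Name Hidden).Hidden
    if ($now -ne $want) { Write-Warning "Hidden reverted to $now within 5 s; something is rewriting it." }
    return $now
}

$stopped = Stop-ProcessByPath -Path $Target
$result  = Remove-FileOrScheduleDelete -Path $Target
Write-Host ("Processes stopped: {0}; file: {1}" -f $stopped, $result)
if ($result -eq 'scheduled') { Write-Host 'Reboot to complete the deletion.' }
```

Matching on the full path rather than the image name matters here: the post's file sits in System32 under a random-looking name, but the same approach is used against malware that borrows the name of a legitimate binary, and killing by name alone would take the real one down too. If the value set by Set-ShowHiddenFiles flips back within seconds, a still-running component is rewriting it, which is the symptom reported earlier in the thread.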

again IS NOT there to check the box even though it shows as being there every time when I copy the report for you to look at here (it is appearing in the log below AGAIN but not when I scan & go to check off to delete (ugh).....